A flaw was found in the way gnutls handled malformed TLS 1.3 asynchronous messages. An attacker could use this flaw to crash an application compiled with gnutls via invalid pointer access.
It was discovered in gnutls upstream that there is an uninitialized pointer access in gnutls versions 3.6.4 or later which can be triggered by certain post-handshake messages.
Created gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1693214]
The tlsfuzzer test-tls13-keyupdate.py test script can be used in concert with valgrind to verify the fix.
1 - https://github.com/tomato42/tlsfuzzer
2 - https://github.com/tomato42/tlsfuzzer/pull/501
It seems that versions since 3.6.4 are affected (not 3.6.3 as originally pointed out by Pedro in the 1st comment).
Is 3.6.3 also affected?
(In reply to Leonardo Taccari from comment #5)
> It seems that versions since 3.6.4 are affected (not 3.6.3 as originally
> pointed out by Pedro in the 1st comment).
> Is 3.6.3 also affected?
Yes, I believe you are right. Fixed.
Thank you for pointing that out.
Name: Hubert Kario (Red Hat QE BaseOS Security team)
Upstream commit: https://gitlab.com/gnutls/gnutls/commit/96e07075e8f105b13e76b11e493d5aa2dd937226
(In reply to Huzaifa S. Sidhpurwala from comment #7)
> Name: Hubert Kario (Red Hat QE BaseOS Security team)
Actually the issue was identified by Daiki Ueno (Red Hat BaseOS Crypto team), I've just slightly extended tests originally written by Róbert Kolcún.